Re: [bwm-tools-tech] bwm tools traffic shaping issue
From: Giang Hu <fre...@gm...> - 2005-05-26 02:14:56
On 5/26/05, vishal singh <vis...@ho...> wrote:
>
> Hi
> even i noticed that. Does that mean firewall rules are wrong?

- No, I did not say "firewall rules are wrong" :-o.

> Didn't understand "downloaded from gateway".

- "downloaded from gateway": you are running services (ftp, ...) on
192.168.1.69 and then your client downloaded from it.

> Could you tell me if I am wrong in setting up the network? My "router" has
> only one i/face active, 192.168.1.69, and all packets are sent to it and
> come out of it. Is that the problem??

Again, I didn't say you are any wrong and I don't know how to explain. Sorry I
could not help you so far :(

It's not hard to build a (more realistic) testing network using ip alias:
- Config your "router" to run two IPs. Ex: eth0:0 runs 192.168.1.69/16 and
  eth0:1 runs 10.0.0.1/8
- Config your client IP to something like 10.x.x.x/8 with default gw 10.0.0.1/8
- Config firewall rules and run the test

I mean a "suggestion", good luck :)

Giang Hu

> Vishal Singh
>
> >From: Giang Hu <fre...@gm...>
> >To: bwm...@li...
> >Subject: Re: [bwm-tools-tech] bwm tools traffic shaping issue
> >Date: Wed, 25 May 2005 19:32:38 +0700
> >
> >Hi Vishal,
> >
> >bwmd takes traffic limiting effect only if the traffic target is *QUEUE*. As
> >your status:
> >
> >Chain bwmd (3 references)
> > pkts bytes target prot opt in  out source    destination
> >   14   807 QUEUE  all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0
> > 5136  703K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0
> >
> >Only small *FORWARD* traffic goes through *QUEUE* when all others jump to
> >ACCEPT (did you download from the gateway? Set */nfmark/* for the *INPUT*
> >chain?)
> >
> >Just a thought, good luck
> >Giang Hu.
> >
> >vishal singh wrote:
> >
> >>Hi Nigel
> >>
> >>In brief, let me first describe what I am trying to do:
> >>
> >>I have configured one Linux Box, 192.168.1.69, as a router and installed
> >>bwm tools. This has the default gateway of 192.168.1.114
> >>
> >>Also, I have configured another Linux Box, 192.168.1.163, and made the
> >>previous box its default gateway. So anything that is not on the local
> >>net goes to 192.168.1.69.
> >>
> >>This is my bwm firewall file:
> >>
> >><firewall>
> >><global>
> >>  <modules>
> >>    <load name="ip_queue"/>
> >>    <load name="ip_conntrack_ftp"/>
> >>    <load name="ip_nat_ftp"/>
> >>  </modules>
> >>
> >>  <!-- Classes -->
> >>
> >>  <class name="http_public_traffic_inout">
> >>    <address name="http_inout" proto="tcp" dst-port="80"/>
> >>  </class>
> >>
> >>  <class name="https_public_traffic_inout">
> >>    <address name="https_inout" proto="tcp" dst-port="443"/>
> >>  </class>
> >>
> >>  <class name="ftp_public_traffic_inout">
> >>    <address name="ftp_inout" proto="tcp" dst-port="21"/>
> >>  </class>
> >>
> >>  <class name="DNS_traffic_inout">
> >>    <address name="DNS_inout" proto="udp" dst-port="53"/>
> >>  </class>
> >>
> >>  <class name="icmp_traffic_inout">
> >>    <address name="icmp_inout" proto="icmp"/>
> >>  </class>
> >>
> >>  <class name="http_private_traffic_inout">
> >>    <address name="http_inout" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
> >>  </class>
> >>
> >>  <class name="ftp_private_traffic_inout">
> >>    <address name="ftp_inout" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
> >>  </class>
> >>
> >>  <class name="telnet_private_traffic_inout">
> >>    <address name="telnet_inout" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
> >>  </class>
> >>
> >>  <class name="ssh_private_traffic_inout">
> >>    <address name="ssh_inout" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
> >>  </class>
> >>
> >>  <class name="smtp_private_traffic_inout">
> >>    <address name="http_inout" src="192.168.1.112" proto="tcp" dst-port="25"/>
> >>  </class>
> >>
> >>  <class name="pop3_private_traffic_inout">
> >>    <address name="pop3_inout" src="192.168.1.112" dst="63.80.142.98" proto="tcp" dst-port="110"/>
> >>  </class>
> >>
> >>  <class name="icmp_private_traffic_inout">
> >>    <address name="icmp_inout" dst="192.168.0.0/16" proto="icmp"/>
> >>  </class>
> >>
> >>  <class name="http_private_traffic_outin">
> >>    <address name="http_outin" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
> >>  </class>
> >>
> >>  <class name="ftp_private_traffic_outin">
> >>    <address name="ftp_outin" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
> >>  </class>
> >>
> >>  <class name="telnet_private_traffic_outin">
> >>    <address name="telnet_outin" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
> >>  </class>
> >>
> >>  <class name="ssh_private_traffic_outin">
> >>    <address name="ssh_outin" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
> >>  </class>
> >>
> >>  <class name="icmp_private_traffic_outin">
> >>    <address name="icmp_outin" proto="icmp"/>
> >>  </class>
> >>
> >>  <class name="snmp_private_traffic">
> >>    <address name="snmpprivate" proto="tcp" dst-port="161"/>
> >>  </class>
> >></global>
> >>
> >><acl>
> >>  <table name="filter">
> >>    <chain name="INPUT">
> >>      <rule target="bwmd">
> >>      </rule>
> >>    </chain>
> >>    <chain name="OUTPUT">
> >>      <rule target="bwmd">
> >>      </rule>
> >>    </chain>
> >>    <chain name="FORWARD">
> >>      <rule target="bwmd">
> >>      </rule>
> >>    </chain>
> >>  </table>
> >></acl>
> >>
> >><traffic>
> >>  <flow name="total_in" max-rate="64000" report-timeout="60">
> >>    <flow name="http_https_public" max-rate="16000" burst-rate="120000" nfmark="100">
> >>      http_public_traffic_inout
> >>      https_public_traffic_inout
> >>      http_private_traffic_inout
> >>    </flow>
> >>    <flow name="ftp_public" max-rate="16000" burst-rate="64000" nfmark="101">
> >>      ftp_public_traffic_inout
> >>    </flow>
> >>    <flow name="dns_icmp_public" max-rate="4000" burst-rate="4500" nfmark="102">
> >>      DNS_traffic_inout
> >>      icmp_private_traffic_outin
> >>    </flow>
> >>    <flow name="ftp_private" max-rate="128000" burst-rate="128000" nfmark="103">
> >>      ftp_private_traffic_inout
> >>    </flow>
> >>  </flow>
> >></traffic>
> >></firewall>
> >>
> >>
> >>This is the o/p of iptables -L -n -v
> >>
> >>[root@bplinux60 bwm_tools]# iptables -L -n -v
> >>Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
> >> pkts bytes target prot opt in  out source    destination
> >> 8701 1178K bwmd   all  --  *   *   0.0.0.0/0 0.0.0.0/0
> >>
> >>Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
> >> pkts bytes target prot opt in  out source    destination
> >>   47  2163 bwmd   all  --  *   *   0.0.0.0/0 0.0.0.0/0
> >>
> >>Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
> >> pkts bytes target prot opt in  out source    destination
> >>  270 28205 bwmd   all  --  *   *   0.0.0.0/0 0.0.0.0/0
> >>
> >>Chain bwmd (3 references)
> >> pkts bytes target prot opt in  out source    destination
> >>   14   807 QUEUE  all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0
> >> 5136  703K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0
> >>
> >>
> >>And this is the o/p of iptables -L -n -v -t mangle
> >>
> >>[root@bplinux60 bwm_tools]# iptables -L -n -v -t mangle
> >>Chain PREROUTING (policy ACCEPT 327K packets, 45M bytes)
> >> pkts bytes target prot opt in  out source    destination
> >>
> >>Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
> >> pkts bytes target prot opt in  out source    destination
> >>
> >>Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
> >> pkts bytes target prot opt in  out source    destination
> >>    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0      tcp dpt:80  MARK set 0x64
> >>    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0      tcp dpt:443 MARK set 0x64
> >>    0     0 MARK   tcp  --  *   *   0.0.0.0/0 192.168.0.0/16 tcp dpt:80  MARK set 0x64
> >>   10   471 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0      tcp dpt:21  MARK set 0x65
> >>    0     0 MARK   udp  --  *   *   0.0.0.0/0 0.0.0.0/0      udp dpt:53  MARK set 0x66
> >>    4   336 MARK   icmp --  *   *   0.0.0.0/0 0.0.0.0/0      MARK set 0x66
> >>   10   471 MARK   tcp  --  *   *   0.0.0.0/0 192.168.0.0/16 tcp dpt:21  MARK set 0x67
> >>
> >>Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)
> >> pkts bytes target prot opt in  out source    destination
> >>
> >>Chain POSTROUTING (policy ACCEPT 66605 packets, 9144K bytes)
> >> pkts bytes target prot opt in  out source    destination
> >>
> >>
> >>My problem is: when I fire bwmd and thereafter run bwm_monitor, the
> >>monitor does display some counters, but I see no traffic limiting. For
> >>example, if I limit ftp traffic to 8kb, it makes no effect. And strangely,
> >>ftp counters aren't updated.
> >>
> >>Please help!!!
> >>
> >>Vishal Singh
> >>
> >>_______________________________________________
> >>bwm-tools-tech mailing list
> >>bwm...@li...
> >>https://lists.sourceforge.net/lists/listinfo/bwm-tools-tech
> >
>

--
You are in control of your own wonderful life :)
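Giang Hu's point in the thread, that bwmd only shapes packets which reach the QUEUE target and that here only marked FORWARD traffic does so, can be checked mechanically from the counters Vishal posted. The script below is an added example written for this page, not code from bwm_tools or from either poster. It parses the text of the two `iptables -L -n -v` listings (the sample strings are constructed copies of the counters quoted above) and reports what share of the bwmd chain's bytes were handed to QUEUE, which marks actually carry traffic, and which built-in filter chains jump to bwmd although no MARK rule sits anywhere on their mangle path. The chain-to-mangle-path mapping (INPUT via mangle PREROUTING and INPUT, FORWARD via PREROUTING and FORWARD, OUTPUT via mangle OUTPUT) is standard netfilter traversal order and is assumed, not taken from the page.

```python
"""Diagnostic for a bwm_tools-style shaper: does traffic actually reach QUEUE?
Parses `iptables -L -n -v` (filter) and `iptables -L -n -v -t mangle` text and
reports (1) the share of shaper-chain bytes sent to QUEUE, (2) which marks
carry traffic, and (3) which built-in filter chains jump to the shaper with
no MARK rule anywhere on their mangle path. Sample outputs are constructed
copies of the counters quoted in the thread; nothing here is bwm_tools code."""
import re
from dataclasses import dataclass

FILTER_OUTPUT = """\
Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
 pkts bytes target prot opt in out source destination
 8701 1178K bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
 pkts bytes target prot opt in out source destination
   47 2163 bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
 pkts bytes target prot opt in out source destination
  270 28205 bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bwmd (3 references)
 pkts bytes target prot opt in out source destination
   14 807 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
 5136 703K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""
MANGLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 327K packets, 45M bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
 pkts bytes target prot opt in out source destination
    0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x64
    0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x64
    0 0 MARK tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:80 MARK set 0x64
   10 471 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x65
    0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 MARK set 0x66
    4 336 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x66
   10 471 MARK tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:21 MARK set 0x67
Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)
 pkts bytes target prot opt in out source destination
"""
# Mangle chains a packet traverses before each built-in filter chain (assumed
# standard netfilter order; POSTROUTING runs after filtering, so it never marks for them).
MANGLE_PATH = {"INPUT": ("PREROUTING", "INPUT"),
               "FORWARD": ("PREROUTING", "FORWARD"),
               "OUTPUT": ("OUTPUT",)}

@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    extra: str  # match/target text after the destination column, e.g. "tcp dpt:21 MARK set 0x65"

def parse_count(tok):
    """iptables -v abbreviates big counters as K/M/G (decimal, rounded)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_iptables(text):
    """Return {chain name: [Rule, ...]} from `iptables -L -n -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        parts = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line, column header, or text before the first chain
        current.append(Rule(parse_count(parts[0]), parse_count(parts[1]),
                            parts[2], parts[9] if len(parts) > 9 else ""))
    return chains

def queue_share(chains, shaper="bwmd"):
    """Fraction of bytes entering the shaper chain that were handed to QUEUE."""
    total = sum(r.nbytes for r in chains[shaper])
    queued = sum(r.nbytes for r in chains[shaper] if r.target == "QUEUE")
    return queued / total if total else 0.0

def active_marks(mangle):
    """(chain, mark, bytes) for every MARK rule that has matched traffic."""
    out = []
    for name, rules in mangle.items():
        for r in rules:
            m = re.search(r"MARK set (0x[0-9a-fA-F]+)", r.extra)
            if r.target == "MARK" and m and r.nbytes > 0:
                out.append((name, m.group(1), r.nbytes))
    return out

def unmarked_entry_points(filt, mangle, shaper="bwmd"):
    """Built-in filter chains that jump to the shaper although no mangle chain
    on their path sets a mark: everything they send can only fall to ACCEPT."""
    marking = {n for n, rules in mangle.items() if any(r.target == "MARK" for r in rules)}
    return [n for n, path in MANGLE_PATH.items()
            if any(r.target == shaper for r in filt.get(n, []))
            and not marking.intersection(path)]

if __name__ == "__main__":
    filt, mangle = parse_iptables(FILTER_OUTPUT), parse_iptables(MANGLE_OUTPUT)
    print(f"bytes reaching QUEUE: {queue_share(filt):.2%}")
    print("marks carrying traffic:", active_marks(mangle))
    print("chains feeding bwmd unmarked:", unmarked_entry_points(filt, mangle))
```

Run against the thread's counters it reports about 0.11% of bwmd bytes reaching QUEUE, marks 0x65, 0x66 and 0x67 carrying traffic (all in mangle FORWARD), and INPUT and OUTPUT as chains that feed bwmd without any mark on their path. The 807 bytes at QUEUE are exactly the 471 + 336 bytes marked in FORWARD, so everything the router itself receives or sends (including a download from a service on 192.168.1.69) bypasses the shaper. The listing also shows the two ftp MARK rules (0x65 and 0x67) with identical counters: they match the same 10 packets, and since MARK is non-terminating the later rule's value wins, so nfmark 101 (ftp_public) never sees a packet. To read live output instead of the samples, feed `subprocess.run(["iptables", "-L", "-n", "-v"], capture_output=True, text=True).stdout` to parse_iptables.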